Page 106 - Cyber Defense eMagazine for June 2021
client; choosing to provide login with an admin account, a shared account or their own account; or
choosing a cloud SaaS service or an on-premises server gateway for access.
Customize the experience using abundant options
For most users, a browser-based portal is probably the best option. There are many situations where a
browser interface is simply the easiest, since it requires nothing on the workstation, not even network
connectivity to the target. This model works extremely well for temporary access by outsourced IT, or in
remote working arrangements where staff work primarily outside the corporate firewall.
IT staff may prefer a native remote access client under some circumstances, but the networking
requirements make connectivity difficult without giving the user a VPN connection. Normally there are
firewall boundaries around the machines in a data center, and to connect by server name the user's client
must perform a DNS lookup for the target. If the workstation's native client cannot perform that lookup, it
cannot establish the connection.
A safe bet is a solution that can act as a jump host: it accepts the inbound connection from the user,
locates the target systems on the local network, brokers the login, and records the session.
But what if an administrator wants to use a native Remote Desktop Protocol (RDP) client rather than a
browser? Or wants to log in as themselves, using their own entitlements and privileges, or with an
alternate admin account? They will need other options.
Options are great – but are they easy?
The strongest options remove any and all obstacles to privileged access, make every option available
according to the administrator's preferences, and enforce the required security while simplifying access
for IT staff. In particular, two features enable the most choice:
First, using a native client on its own to reach a specific target without visiting a central portal: usually
there is a firewall between the native client and the target system, so IT can use a jump host to broker
the user's connection to the target. Second, look for “use-my-account” (UMA) capabilities: once the user
has authenticated to the cloud service, they may want to use their own account to log into the target
machine.
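The two passages above (the jump host that accepts the inbound connection, brokers the login and records the session, and the native client reaching a firewalled target through that jump host) describe the same mechanism. The following is an added example written for this page, not code from the article or from any PAM product: a minimal session-recording relay. The native client connects to the relay; the relay resolves and connects to the target on the data-center side, so the workstation needs neither DNS for the target nor a route to it, and every byte in both directions is kept in a timestamped transcript. The echo "target" and the `login admin` / `whoami` messages are constructed demo inputs.

```python
"""Minimal session-recording jump host relay (added example, not from the article)."""
import socket
import threading
from datetime import datetime, timezone


class RecordingRelay:
    """Accept one inbound client, broker it to the target, record both directions."""

    def __init__(self, target_host, target_port, listen_port=0):
        self.target = (target_host, target_port)
        self.transcript = []  # list of (utc_timestamp, direction, bytes)
        self.done = threading.Event()
        self.server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.server.bind(("127.0.0.1", listen_port))  # 0 = pick a free port
        self.server.listen(1)
        self.listen_port = self.server.getsockname()[1]

    def _pump(self, src, dst, direction):
        """Copy bytes src -> dst until EOF, recording each chunk as it passes."""
        try:
            while True:
                chunk = src.recv(4096)
                if not chunk:
                    break
                self.transcript.append(
                    (datetime.now(timezone.utc).isoformat(), direction, chunk))
                dst.sendall(chunk)
        except OSError:
            pass
        finally:
            try:
                dst.shutdown(socket.SHUT_WR)  # propagate EOF to the other side
            except OSError:
                pass

    def serve_one(self):
        client, _ = self.server.accept()
        # Name resolution and the TCP connect to the target happen here, on the
        # jump host; the workstation never needs DNS for, or a route to, the target.
        target = socket.create_connection(self.target, timeout=5)
        up = threading.Thread(target=self._pump, args=(client, target, "client->target"))
        down = threading.Thread(target=self._pump, args=(target, client, "target->client"))
        up.start(); down.start(); up.join(); down.join()
        client.close(); target.close(); self.server.close()
        self.done.set()


def start_echo_target():
    """Stand-in for a target server (constructed for the demo): echoes its input."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def run_demo(messages=(b"login admin\n", b"whoami\n")):
    """Drive one session through the relay; return (bytes received, transcript)."""
    target_port = start_echo_target()
    relay = RecordingRelay("localhost", target_port)  # resolved on the jump side
    threading.Thread(target=relay.serve_one, daemon=True).start()
    reply = b""
    with socket.create_connection(("127.0.0.1", relay.listen_port), timeout=5) as client:
        for msg in messages:
            client.sendall(msg)
        client.shutdown(socket.SHUT_WR)  # end of session
        while True:
            part = client.recv(4096)
            if not part:
                break
            reply += part
    relay.done.wait(5)
    return reply, relay.transcript


def bytes_by_direction(transcript, direction):
    """Reassemble everything the transcript recorded in one direction."""
    return b"".join(chunk for _, d, chunk in transcript if d == direction)


if __name__ == "__main__":
    _, recorded = run_demo()
    for ts, direction, chunk in recorded:
        print(ts, direction, chunk)
```

The relay listens on loopback only so the demo runs offline; a real deployment would bind it on the data-center side of the firewall, authenticate the inbound user before brokering, and persist the transcript to tamper-evident storage rather than an in-memory list.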
Organizations can also choose a single pane of glass that works for both cloud-based PAM and traditional
break-glass password vault scenarios. For example, should an IT administrator break glass, or simply log
in as normal and use privilege elevation? With the right permissions they can do either. Nothing is needed
on the machine: they can use a browser on a laptop, workstation, or even a tablet or mobile device, and
that device needs no connectivity to any of the target systems.
Ultimately, enabling privileged access controls should be as simple as picking a client, picking the
network connectivity, and picking an identity. Whether an organization provides such privileged access
tools may depend on which side of the flipped coin it lands on. If it does not, it is almost guaranteed that
IT staff will find creative ways to work around security best practices to suit their preferences.
IT professionals want ease of use and access, just as business users do. To work on servers and other
infrastructure, IT staff will seek the ways they are accustomed to, regardless of whether it aligns with
Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.